Understanding IDS and IPS in Network Security

Sep 27, 2024

Network-Based Intrusion Detection and Prevention Systems

Introduction

  • IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are crucial for network security.
  • Both systems monitor network traffic to identify potential security threats.
    • IDS: Alerts the user about potential security threats.
    • IPS: Actively blocks threats to prevent them from penetrating the network.

IDS vs. IPS

  • IDS:
    • Provides alerts or alarms for detected threats.
    • Does not block traffic.
  • IPS:
    • Can block threats before they reach the network.
    • Offers more control over traffic flows.

IPS Configurations

  • Passive Monitoring:
    • The IPS receives a copy of the traffic.
    • Can alert or send an out-of-band TCP reset to halt communication.
    • Limited effectiveness with non-TCP protocols like UDP.
  • In-line Monitoring:
    • All traffic passes through the IPS.
    • Directly blocks malicious traffic.
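The difference between the two deployment modes, as an added simulation that is not part of the original notes: a passive sensor only sees a copy of each packet after it has been forwarded, so its only enforcement is an out-of-band TCP reset that tears down the rest of a TCP connection, while UDP traffic (which has no connection to reset) keeps flowing; an in-line IPS drops the offending packet before delivery for either protocol. The packets, addresses and the "EVIL" marker the stand-in detection engine matches on are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    payload: bytes


# Constructed sample traffic (not a real capture). The marker "EVIL" stands in for
# whatever a real engine would match; the two follow-up packets show what happens
# to the rest of a flow once the IPS has reacted.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", "TCP", b"GET /index.html"),
    Packet("10.0.0.9", "10.0.1.10", "TCP", b"EVIL-TCP-PAYLOAD"),
    Packet("10.0.0.9", "10.0.1.10", "TCP", b"tcp follow-up"),
    Packet("10.0.0.7", "10.0.1.53", "UDP", b"dns query"),
    Packet("10.0.0.9", "10.0.1.53", "UDP", b"EVIL-UDP-PAYLOAD"),
    Packet("10.0.0.9", "10.0.1.53", "UDP", b"udp follow-up"),
]


def is_malicious(pkt):
    """Stand-in for the detection engine (signatures, anomaly scoring, ...)."""
    return b"EVIL" in pkt.payload


def flow_key(pkt):
    return (pkt.src, pkt.dst, pkt.proto)


def passive_ips(traffic):
    """Passive (out-of-band) deployment: the sensor works on a copy, so the
    offending packet has already been forwarded by the time it is inspected.
    The only enforcement is an out-of-band TCP reset (RST) to both endpoints,
    which tears down the TCP connection; UDP has no connection to reset."""
    delivered, actions, reset_flows = [], [], set()
    for pkt in traffic:
        if pkt.proto == "TCP" and flow_key(pkt) in reset_flows:
            continue                 # endpoints closed this connection after the RST
        delivered.append(pkt)        # the copy is inspected after forwarding
        if is_malicious(pkt):
            if pkt.proto == "TCP":
                reset_flows.add(flow_key(pkt))
                actions.append(("alert+tcp_reset", pkt.src))
            else:
                actions.append(("alert_only", pkt.src))   # nothing to reset for UDP
    return delivered, actions


def inline_ips(traffic):
    """In-line deployment: every packet passes through the IPS, so a malicious
    packet is dropped before it reaches the destination, whatever the protocol.
    (Kept per-packet for clarity; a real in-line IPS usually blocks the whole flow.)"""
    delivered, actions = [], []
    for pkt in traffic:
        if is_malicious(pkt):
            actions.append(("drop", pkt.src))
            continue
        delivered.append(pkt)
    return delivered, actions


def delivered_payloads(delivered):
    return [p.payload.decode() for p in delivered]


if __name__ == "__main__":
    for name, mode in (("passive", passive_ips), ("inline", inline_ips)):
        delivered, actions = mode(SAMPLE_TRAFFIC)
        print(name, delivered_payloads(delivered), actions)
```

Running it shows the passive sensor still lets both malicious packets through and can only stop the later TCP packet of the reset flow, whereas the UDP follow-up is delivered untouched; the in-line mode never delivers either malicious packet.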

Detection Methods

  • Signature-Based Identification:
    • Matches traffic against predefined signatures.
    • Effective for known threats.
  • Anomaly-Based Identification:
    • Recognizes deviations from normal traffic patterns.
  • Behavioral and Heuristic Analysis:
    • Detects unusual behaviors or characteristics.
    • Looks for patterns that may indicate an attack.

IPS Rules

  • Rules determine which vulnerabilities or traffic to monitor and what action to take.
  • Thousands of rules can be set, e.g., blocking database injections or alerting on malware.
  • Challenge: Finding the right balance in rule settings to minimize false positives and negatives.

Challenges

  • False Positives:
    • Incorrect identification of benign activity as malicious.
    • Example: Webroot false positives in April 2017.
  • False Negatives:
    • Failure to identify malicious traffic.
    • Dangerous as they allow threats to pass undetected.
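The Detection Methods, IPS Rules and Challenges sections above, brought together in one added example that is not part of the original notes: a small signature engine with a hypothetical rule set (one "block" rule for database injection keywords, one "alert" rule for a malware check-in URI), an anomaly check that learns a requests-per-source baseline from a known-normal training window and flags sources above mean + k·stdev, and a scoring function that counts false positives and false negatives against constructed ground-truth labels. The rule IDs, addresses, requests and training counts are all constructed; the benign forum post that trips the injection rule and the unsignatured file-access attempt that nothing catches are the two failure modes the notes describe.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    src: str
    request: str
    malicious: bool   # constructed ground-truth label, used only for scoring


@dataclass
class Rule:
    sid: int
    msg: str
    pattern: re.Pattern
    action: str       # "alert" (IDS-style) or "block" (IPS-style)


# Hypothetical rule set, in the spirit of "block database injections, alert on malware".
RULES = [
    Rule(1001, "SQL injection keyword in request", re.compile(r"(?i)\bUNION\s+SELECT\b"), "block"),
    Rule(1002, "Known malware check-in URI", re.compile(r"/gate\.php\?id="), "alert"),
]

# Constructed training window: requests per source observed during known-normal traffic.
TRAINING_REQUESTS_PER_SOURCE = [3, 4, 2, 3, 5, 3]


def _constructed_events():
    benign = [
        ("10.0.0.1", "GET /index.html"), ("10.0.0.1", "GET /about"), ("10.0.0.1", "GET /contact"),
        ("10.0.0.2", "GET /products?id=7"), ("10.0.0.2", "GET /cart"), ("10.0.0.2", "POST /checkout"),
        ("10.0.0.3", "GET /forum"),
        # A benign forum post about SQL syntax that happens to match rule 1001 (false positive).
        ("10.0.0.3", "POST /forum/post body=how do I use UNION SELECT in MySQL"),
        ("10.0.0.3", "GET /forum/thread/12"),
    ]
    malicious = [
        ("10.0.0.50", "GET /products?id=7 UNION SELECT 1,2,3"),   # caught by rule 1001
        ("10.0.0.51", "GET /gate.php?id=4f2a"),                   # caught by rule 1002
        ("10.0.0.52", "GET /backup/db_dump.sql"),                 # no rule covers it (false negative)
    ] + [("10.0.0.60", "GET /")] * 40                              # request flood, no signature
    return [Event(s, r, False) for s, r in benign] + [Event(s, r, True) for s, r in malicious]


SAMPLE_EVENTS = _constructed_events()


def signature_matches(event):
    """Signature-based: every rule whose pattern appears in the request."""
    return [(r.sid, r.action) for r in RULES if r.pattern.search(event.request)]


def anomaly_threshold(training_counts, k=3.0):
    """Anomaly-based: baseline learned from normal traffic, not from the window under test."""
    return statistics.mean(training_counts) + k * statistics.stdev(training_counts)


def anomalous_sources(events, threshold):
    counts = Counter(e.src for e in events)
    return {src for src, n in counts.items() if n > threshold}


def run_detector(events, training_counts=TRAINING_REQUESTS_PER_SOURCE, k=3.0):
    """Return {event_index: reasons} for every event flagged by either method."""
    noisy = anomalous_sources(events, anomaly_threshold(training_counts, k))
    flagged = {}
    for i, e in enumerate(events):
        reasons = [f"sid:{sid}/{action}" for sid, action in signature_matches(e)]
        if e.src in noisy:
            reasons.append("anomaly/alert")
        if reasons:
            flagged[i] = reasons
    return flagged


def score(events, flagged):
    """Confusion counts: the false-positive / false-negative balance the notes describe."""
    tp = fp = fn = tn = 0
    for i, e in enumerate(events):
        hit = i in flagged
        if hit and e.malicious:
            tp += 1
        elif hit:
            fp += 1
        elif e.malicious:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


if __name__ == "__main__":
    flagged = run_detector(SAMPLE_EVENTS)
    for i, reasons in sorted(flagged.items()):
        ev = SAMPLE_EVENTS[i]
        print(f"{ev.src:<10} {ev.request[:45]:<45} {reasons}")
    print(score(SAMPLE_EVENTS, flagged))
```

Two design points worth noticing: the anomaly baseline is learned from a separate known-normal window, because computing mean and standard deviation over the window that contains the flood would let the flood inflate the threshold and hide itself; and the false positive is on a "block" rule, so in an in-line deployment the forum user would have been cut off, which is why rule actions and thresholds need the tuning the notes call for.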

Conclusion

  • Regular testing and updates are crucial for IPS effectiveness.
  • Comparative industry tests help evaluate IPS performance.
  • Striking a balance in rule settings is key to minimizing alerts and ensuring accurate threat detection.